Re: Adding the Certificate Templates to the Certification Authority

From: Randy Franklin Smith
Date: 01/13/05

Date: Wed, 12 Jan 2005 17:07:03 -0800

As Steven said, but to be more specific you can use the built-in "Computer"
and "User" certificates for wi-fi. They work fine and can be deployed by
Win2k or W03 standard edition servers. Before switching to PEAP think about
the risks. To get onto your LAN all the attacker needs is to guess one of
your users' passwords.

Randy Franklin Smith, CISA, SSCP, Security MVP
Creator of the Ultimate Windows Security training courses

"Steven L Umbach" <> wrote in message
> Yes, version 2 templates are only available from a W2003 Enterprise CA.
> The link below for Windows 2003 WIFI has a bunch of articles. You can use
> the older templates for users and for computers to obtain the
> necessary certificates [it worked for me]. It is much easier to set up on
> XP, though MS does have 802.1X download for Windows 2000. I have not had
> much luck with WPA using Windows 2000. XP has WPA supplicant built in and
> you will need the Funk supplicant [not free last time I checked] or one
> from the wireless card manufacturer IF they provide one. You may just want
> to use PEAP which does not require certificates on the clients. With PEAP
> you still will have much improved security due to dynamic WEP. EAP-TLS is
> nice however in that it ensures that more than a logon name/password is
> required to gain access to the WAP which can keep unauthorized computers
> off the network. I believe there is also a wireless newsgroup for
> Microsoft that you may post in to see if others have tried what you want
> to do. --- Steve
> "Michael Shire" <> wrote in message
>> Still following the Microsoft Securing WLANs deployment guide. I'm adding
>> the certificate templates to the CA, but the newly created (duplicated) ones
>> don't show up on the "New->Certificate Template to Issue" list.
>> The Certificate Templates say the "Minimum supported CAs" are Windows 2003,
>> Enterprise Edition. If I don't have Enterprise Edition on the CA, I guess I
>> can't issue those templates.
>> Q1: Is this because they are V2 templates?
>> Q2: Is there a "Build Guide for Securing Wireless LANS - A Windows Server
>> *2000* Certificate Services Solution"?
>> Q3: If I don't want to install Win2K3 EE on the CA, is there another
>> adequate template I can use for users, computers, and servers?
>> FYI, I'm going into this PKI solution with my users on an NT4 domain. All
>> users are in a Windows 2000 native mode AD, configured with SIDhist pointing
>> to the NT4 account. My wireless PCs will be Windows 2000 which means no WZC
>> or auto-enrollment. I figured I can get around the V2 enrollment by using
>> the Web.
>> Q4: Did I bite off more than anyone else would attempt to chew?